mirror of
https://github.com/scratchfoundation/restify-cors-middleware.git
synced 2024-12-18 11:52:26 -05:00
101 lines
3.2 KiB
JavaScript
101 lines
3.2 KiB
JavaScript
//
|
|
// Based on the spec at http://www.w3.org/TR/cors/
|
|
// The test numbers correspond to steps in the specification
|
|
//
|
|
|
|
var request = require('supertest');
|
|
var should = require('should');
|
|
var test = require('./test');
|
|
|
|
describe('CORS: simple / actual requests', function() {
|
|
|
|
it('6.1.1 Does not set headers if Origin is missing', function(done) {
|
|
var server = test.corsServer({
|
|
origins: ['http://api.myapp.com', 'http://www.myapp.com']
|
|
});
|
|
request(server)
|
|
.get('/test')
|
|
.expect(test.noHeader('access-control-allow-origin'))
|
|
.expect(200)
|
|
.end(done);
|
|
});
|
|
|
|
it('6.1.2 Does not set headers if Origin does not match', function(done) {
|
|
var server = test.corsServer({
|
|
origins: ['http://api.myapp.com', 'http://www.myapp.com']
|
|
});
|
|
request(server)
|
|
.get('/test')
|
|
.set('Origin', 'http://random-website.com')
|
|
.expect(test.noHeader('access-control-allow-origin'))
|
|
.expect(200)
|
|
.end(done);
|
|
});
|
|
|
|
it('6.1.3 Sets Allow-Origin headers if the Origin matches', function(done) {
|
|
var server = test.corsServer({
|
|
origins: ['http://api.myapp.com', 'http://www.myapp.com']
|
|
});
|
|
request(server)
|
|
.get('/test')
|
|
.set('Origin', 'http://api.myapp.com')
|
|
.expect('access-control-allow-origin', 'http://api.myapp.com')
|
|
.expect(200)
|
|
.end(done);
|
|
});
|
|
|
|
it('6.1.3 Does not set Access-Control-Allow-Credentials header if Origin is *', function(done) {
|
|
var server = test.corsServer({
|
|
origins: ['*'],
|
|
credentials: true
|
|
});
|
|
request(server)
|
|
.get('/test')
|
|
.set('Origin', 'http://api.myapp.com')
|
|
.expect(test.noHeader('access-control-allow-credentials'))
|
|
.expect(200)
|
|
.end(done);
|
|
});
|
|
|
|
it('6.1.3 Sets Access-Control-Allow-Credentials header if configured', function(done) {
|
|
var server = test.corsServer({
|
|
origins: ['http://api.myapp.com'],
|
|
credentials: true
|
|
});
|
|
request(server)
|
|
.get('/test')
|
|
.set('Origin', 'http://api.myapp.com')
|
|
.expect('access-control-allow-credentials', 'true')
|
|
.expect(200)
|
|
.end(done);
|
|
});
|
|
|
|
it('6.1.4 Does not set exposed headers if empty', function(done) {
|
|
var server = test.corsServer({
|
|
origins: ['http://api.myapp.com', 'http://www.myapp.com']
|
|
});
|
|
request(server)
|
|
.get('/test')
|
|
.set('Origin', 'http://api.myapp.com')
|
|
.expect('access-control-allow-origin', 'http://api.myapp.com')
|
|
.expect('access-control-expose-headers', /api-version/) // defaults
|
|
.expect(200)
|
|
.end(done);
|
|
});
|
|
|
|
it('6.1.4 Sets exposed headers if configured', function(done) {
|
|
var server = test.corsServer({
|
|
origins: ['http://api.myapp.com', 'http://www.myapp.com'],
|
|
exposeHeaders: ['HeaderA', 'HeaderB']
|
|
});
|
|
request(server)
|
|
.get('/test')
|
|
.set('Origin', 'http://api.myapp.com')
|
|
.expect('access-control-allow-origin', 'http://api.myapp.com')
|
|
.expect('access-control-expose-headers', /HeaderA, HeaderB/) // custom
|
|
.expect('access-control-expose-headers', /api-version/) // defaults
|
|
.expect(200)
|
|
.end(done);
|
|
});
|
|
|
|
});
|